What is a “data protection officer” and when are you required to appoint one?

Who is the data controller and who is the data processor?

Natural persons or legal entities, public authorities, agencies or other structures may be personal data controllers or processors. A person is a personal data controller if he defines, alone or together with others, the objectives and means of the personal data processing. If the objectives and means are defined by law, the controller may also be specified by law. The personal data processor processes the data on behalf of the controller.

Important to know

The personal data controller defines, alone or together with others, the objectives and means of the personal data processing. The personal data processor processes the data on behalf of the controller.

If the controller, objectives or means are not defined by law, your company needs to define them itself, based on the provisions of the Regulation. The key question for identifying the controller and the processor is “Who determines the objectives and means?”. To determine the objectives, we must answer the question “Why?”, and for the means the question “How?”. As already noted, however, no further detail is given that would help define the objectives. The Regulation contains no clear definition of the means either, but Opinion 1/2010 of the Article 29 Working Party clarifies that these include not only the technical but also the organizational parameters of the processing, such as who will have access to the data, when the data will be erased, etc.

The processor may determine the means, or part of them, for the processing of personal data. This often happens when the company concludes a contract with a cloud service provider, who sets the precise technical parameters of the protection and may also be responsible for the organization of storage. The objectives, however, are always defined by the controller, as is the need for access, storage and organization to achieve those objectives.

Important to know

The means of personal data processing include not only the technical means but also the way the data protection is organized. Part of these may be determined by the processor. The objectives, however, are always determined by the controller.

Often a company is neither only a controller nor only a processor. For some processes the company is the controller (e.g., regarding the workers at the enterprise), and for others the processor (e.g., if it provides cloud services to its clients). It is also possible that, with respect to a specific process, the person is a controller and subsequently, if the circumstances change, becomes the processor of the same data.

It is important to clearly define the data processing processes and, consequently, the role of the person at each specific moment. Additional information can be found in Opinion 1/2010 of the Article 29 Working Party regarding the definitions of “controller” and “processor”. The opinion provides examples of cases in which a company or a person may be defined as a controller or a processor. If the company decides to transfer part of its legal obligations to a subcontractor, the subcontractor is usually the data processor, as for example when using a cloud service provider or a company providing “labour and payroll” services. Where, however, a company or person provides services independently by law and is responsible for those services, e.g. accountants (excluding “labour and payroll”), accounting firms or self-employed auditors, audit enterprises, postal service providers, mobile telephone operators, etc., such persons are personal data controllers.

Important to know

The controller is responsible for implementing appropriate technical and organizational measures in order to effectively apply the data protection principles, comply with the requirements of the legislation and protect data subjects’ rights.

Important to know

It is important that a personal data processing contract is signed between the controller and the processor, establishing how the responsibilities for the technical and organizational measures concerning the personal data processing will be allocated between them.

The contract between the controller and the processor aims to ensure full compliance with the Regulation and to settle responsibilities in case of personal data breaches (for the definition of a personal data breach, see here and here). The contract must include the clauses required by the Regulation, such as the processor’s obligation to process data only on the controller’s documented instructions, and the controller’s right to inspect the processor in order to verify compliance with the rules on technical and organizational measures for processing, etc. The personal data processor must also notify the controller if it plans to use subcontractors in the personal data processing or to replace an existing subcontractor. The processor must ensure that the subcontractor observes the obligations towards the controller already agreed in the contract.

When two or more controllers jointly determine the objectives and means of the processing, they are considered joint controllers. They may allocate their responsibilities and liabilities between them. An example of joint controllers is a recruitment agency searching for employees for positions in a client company.

Important to know

If a company that is not established in the European Union processes the personal data of persons in the EU, it is the controller of that data and must be established in one of the Member States whose citizens’ data it processes.

What is a data protection officer and when are you required to appoint one?

Important to know

A Data Protection Officer must be appointed if the main activities of the company require regular and systematic large-scale monitoring of data subjects.

Important to know

Monitoring does not only mean observing the behaviour of data subjects on the internet or for medical or mental health reasons. Monitoring may also mean an internal surveillance system in the company that processes personal data.

The Data Protection Officer may also be appointed voluntarily by the company.

The Data Protection Officer must be a person with expertise in data protection law and practice who is capable of performing the tasks assigned by the Regulation. Data Protection Officers are usually appointed by both the controller and the processor. Such a person may be an employee of the company or a person with whom the company has signed a contract for the provision of such services.

If the Data Protection Officer is an employee of the company, she/he may perform only that function in the company or combine it with another. Where functions are combined, there must be no conflict of interest, and this requires a thorough analysis. The Article 29 Working Party has published Guidelines on Data Protection Officers, which provide useful information on the obligations of that position and on how to choose the right person within your organization.

The Data Protection Officer must be provided with sufficient resources by management to properly perform his tasks. Such a person must hold a position high enough in the company hierarchy to act independently and to advise management on compliance with the personal data protection rules. Such a person must also be trusted by the workers, so that they can confidentially notify him of any personal data breaches.

The key tasks of the Data Protection Officer are to inform and advise on the company’s obligations as a controller or processor; to monitor compliance with the Regulation and the legislation related to personal data protection; to advise on data protection impact assessments; and to cooperate with the supervisory authority, acting as the contact point with the authority.

Important to know

The contact details of the Data Protection Officer must be published by the company, for example on the company’s website, and must also be submitted to the Commission for Personal Data Protection.